University of Michigan
Electrical Engineering and Computer Science
Handout 2
EECS 598-008: Medical Device Security
January 9, 2013
Instructor: Kevin Fu

Course Information

Instructor: Prof. Kevin Fu
Room BBB 4628, 616–594–0385, kevinfu@umich.edu
Office Hours: Mondays, 12:00–1:00PM or by appointment (Please CC calendar requests to Quinn Stewart, qunstwrt@umich.edu)
Web page: http://eecs.umich.edu/courses/eecs598-008/

1 Overview

This graduate-level course teaches students the key engineering concepts and skills for creating more trustworthy software-based medical devices ranging from pacemakers to radiation planning software to mobile medical apps. Topics span computer engineering, human factors, and regulatory policy. Students will master technical skills such as reverse engineering, static analysis, fuzz testing, hazard analysis, validation, requirements engineering, radio-frequency communication, physiological sensing, and fundamental concepts from system engineering that lead to safer and more effective medical devices that are increasingly interconnected and wirelessly controlled.

Students will apply the newly learned concepts and skills by analyzing the security of a real-world medical device in a hands-on term project. Interdisciplinary teams (when possible) will consist of students from complementary backgrounds to mimic the composition of teams at medical device manufacturers and regulatory bodies. Occasional guest speakers from medical device manufacturers, hospitals, and government will complement the classroom activities with critical lessons from the front lines.

Intended audience. This 3-credit course is designed for graduate students in Computer Science and Engineering and upper-level undergraduates with appropriate computing background (e.g., excellent grades in EECS 280, EECS 370, or EECS 388 would suffice). Students from ECE, Informatics, BME, and IOE are especially welcomed, as are medical students with appropriate computing experience. Students without computing experience are welcome to audit the course after registering for visiting credit.

Prerequisites. Students are expected to have graduate-level standing or permission of the instructor. There are no other formal prerequisites because this course is highly interdisciplinary. No one would have all the prerequisites across all the skill sets!

Time and location. Lectures are held in Dow 1010 on Mondays and Wednesdays from 10:30 AM to 12:00 PM. Note that the room number is decimal, not binary. Don’t get lost like the instructor. A schedule of topics is posted on the Web site.

2 Textbook: A Course Reader

There is no textbook for this course. Instead, we have arranged for a course reader that provides excerpts from several hard-to-find and out-of-print sources. The course reader is $57.09, available via Dollar Bill Copying (dollarbillcopying.com). You may order the book online for shipment, or order online for pickup at their store near Central Campus (Dollar Bill Copying, 611 Church Street, Ann Arbor, MI).

Copyright licensing is the primary cost of the reader. To keep costs low, we have not printed the documents that are already available online. We were unable to secure copyright licenses to provide electronic copies of the course reader, but please let the instructor know if you find any freely available versions online.

If you have a financial hardship that makes it difficult to purchase the course reader, please ask the instructor about other options.

3 Grades and methods of evaluation

Students will be evaluated based on a group term project, individual problem sets, in-class exams, and class participation. The assignments will involve a balance of team and individual work ranging from hands-on labs to technical writing. Grading is weighted as follows:

Group project               40%
Individual homework/labs    30%
Two in-class exams          20%
Class participation         10%

Passing the class is not possible without completing the final project and participating in class, regardless of your other grades.

3.1 Exams

There will be two in-class exams during the semester. Exams are closed book. The intent of each exam is to test your understanding of the material from the readings and lectures. Each exam is not intended to be a comprehensive or cumulative exam, but you may need to understand past material to answer exam questions that build on past material.

If you miss an exam for reasons other than a documented medical or personal emergency, you will receive a zero for that exam. If you anticipate a conflict with an exam time, talk to the instructor at least one month before the exam date to schedule an oral exam. Exam dates are given at the beginning of the semester so you can avoid scheduling job interviews or other commitments on those days. Outside commitments are not considered a valid reason for missing an exam.

3.2 Homework

Individual homework will consist of both technical essays responding to research papers, and hands-on homework assignments related to technical problem solving. Due dates will appear on the Web site.

Technical essays are one-page responses to a technical question relating to assigned reading material. The essay should follow strategies for effective technical writing. The essays will be graded on both the quality of writing as well as the effectiveness of the technical argument. Your responses should fit comfortably on one page, and have no more than 400 words. Paper responses are due before the start of lecture. At 10:40 AM, a homework assignment will be considered late. Submit your PDF responses (no Word docs allowed) via CTools.

Absolutely no collaboration is allowed on the essays; see the plagiarism policy later in this document to avoid failing the course.

3.3 Group project

Medical devices are created by interdisciplinary teams. Thus, this course has a group project. We will assign you team partners and will attempt to balance various constraints such as scheduling and ensuring a team of diverse technical skills.

Each team will have 3–4 members. You will be responsible for organizing team meetings around your many schedule constraints. Effective teamwork is essential. We will spend class time discussing how to be a good team partner. Similar to other EECS courses, we expect all group members to contribute their fair share, and we expect to assign the same project grade to all members of a group. To help ensure this, group members will evaluate the contributions of other group members after each project. Members who contribute less than their share may receive a lower grade on the project; non-contributing members will receive a zero. In case of disputes regarding contribution, an instructor may interview group members.

You’re fired. Students may be fired from a group by the majority vote of the remaining members. The procedure for this is as follows: (1) documented “gentle warning” of risk of firing in e-mail, with CC to all group members and to kevinfu@umich.edu, with cause and specific work required to remain in group; (2) allow at least 72 hours for compliance; (3) if the problems persist, e-mail statement of firing to the group and to kevinfu@umich.edu. Fired group members may join another group; students who cannot find a group must complete the remaining project by themselves.

Managing group dynamics and using each group member’s time and talents effectively can be difficult. If there are problems with your group, please see the instructor as soon as possible. Be open and candid with your group about potential problems early on so your group can plan around those problems and not fall behind. A sure way to make your group upset at you is not finishing your work at an agreed-upon deadline and not informing them about the problems early enough for them to help. We encourage everyone to read “Coping with hitchhikers and couch potatoes on teams” by Barbara Oakley.

Options for group projects.

1. Reproduce the results of a medical device security research paper (e.g., run your own experiment or run your own simulation). Suggested venues from which to draw papers include the USENIX Security, IEEE Symposium on Security & Privacy (aka Oakland), ACM CCS, NDSS, SIGCOMM, and USENIX HealthSec/HealthTech. Check with the instructor if you have a passion for a different venue and seek permission to use a paper for your project.

2. Thoroughly analyze the security and privacy of a medical device. I presently can provide access to a large collection of both implantable and bedside medical devices for analysis. I can also provide binaries and source code to a few interesting medical devices. This choice is much more open ended. The advantage is that there is more room for creativity, but the danger is that the problem is very open ended and could result in disaster if the project does not work out in the end. A team should come to office hours to discuss this option.

No two teams may choose the same project. Don’t worry—there are enough to go around.

Components and milestones. Project milestones will be spaced throughout the semester to make sure everyone keeps up. The best possible outcome of a class project is a publishable research artifact. You may not, however, receive credit for the same project twice, e.g. by undertaking an independent study for the same outcome.

There are four components to your project grade: a project proposal, a midterm status report, a final project report, and a project presentation. The due dates for each of these milestones will appear on the course Web page. You cannot pass the project unless each is completed.

Communicate with your teammates! Lack of communication could result in a dysfunctional team that risks failing the class. If you have tried repeatedly to communicate with an unresponsive team member, contact the instructor before the problem becomes unmanageable.

Project proposal due February 4 (20%). Your proposal should explicitly state the problem your project will address, your project’s goal and motivation, related work, the methodology and plan for your project, and the resources needed to carry out your project. Be sure to structure your plan as a set of incremental milestones and include a schedule for meeting them. Part of the grade will involve peer review; we will pseudorandomly assign another team to provide a constructive critique of your proposal.

In-class mini oral report due February 27 (5%). Teams will give in-class, oral presentations (5 minutes max) explaining the outputs and outcomes so far, the wrong turns, and the changes in response to the proposal feedback.

Status report due March 25 (25%). Your status report should contain enough data and analysis to show that your project is on the right track. You should append a copy of your original proposal with instructor comments, along with any surprising results or changes in direction, schedule, etc. You should also have a refined version of the problem statement and goals, as well as a more developed related work section. Part of the grade will involve peer review; a different team will provide a constructive critique of your status report.

Final report and Presentation due April 22 (50%). A final report describes your research problem, contributions, results, and analysis. You will present your research problem, analysis, and results in a brief presentation. The presentation may include a system demo if appropriate. The final report must include a paragraph explaining, for each team member, their contributions and duties in the project. Part of the grade will involve peer review; students will provide a constructive critique of presentations.

Peer Rating of Team Members (weighting factor). To encourage team members to contribute to the success of the project, individual grades will take into account peer ratings from each team member. Ratings are excellent, very good, satisfactory, ordinary, marginal, deficient, unsatisfactory, superficial, and no show. The course staff will use the peer feedback as a weighting factor for individual grades for the team project. We provide the following examples of weighting factors. A student receiving all “excellent” or “very good” ratings would receive a 100% weighting factor for the team grade. A student receiving all “ordinary” ratings would receive a 75%. A student receiving all “deficient” ratings would receive a 50%. Universal ratings of superficial or no show would result in a zero for the team project.

Your report should follow the structure of a research paper. Your presentation should follow the structure of a research talk. We will discuss how this is done in class.

3.4 Class participation

Students can participate in class in several ways. At the beginning of class, students will have the opportunity to present a 5-minute talk on a research-worthy, intellectually-stimulating topic in medical device security that is thematically related to the topic of the day (but not the assigned reading). The material could draw upon one of the optional papers, or a paper that you find. You may sign up for a time slot. Students can also engage in discussion during class and on the class discussion forum. Quality rather than quantity counts most in this subjective evaluation. One can also gain class participation credit by signing up to “shepherd” other teams’ projects. That is, you can provide feedback on write-ups.

4 Policies

4.1 Lateness

Each student is granted one “penalty free” late pass for turning in a homework assignment. You need not provide any excuse. A free late means you may turn in the homework by 10:40 AM on the day of the next class without penalty. We will strictly enforce the deadline; we do not want to encourage lingering on old assignments that delay new assignments. Homeworks will be accepted only as emailed PDF files. The turn in date is when we receive the message, not when you send it. Any late homework beyond your one freebie will result in a zero grade. Late freebies may NOT be used for any of the term project assignments. A late final project assignment (i.e., the proposal, status report, or final report) will have a 20% grade reduction for each late weekday (10:41 AM).

4.2 Ethics, Law, and University Policies

This course shares the same ethics guidelines as EECS 588 (Computer and Network Security).

To defend a system you need to be able to think like an attacker, and that includes understanding techniques that can be used to compromise security. However, using those techniques in the real world may violate the law and the university’s computing practices, or may be unethical. You must respect the privacy and property rights of others at all times, or else you will fail the course. Under some circumstances, even probing for weaknesses may result in severe penalties, up to and including civil fines, expulsion, and jail time.

Before engaging in any security analysis, carefully read the Computer Fraud and Abuse Act (CFAA) [1], a federal statute that broadly criminalizes computer intrusions. This is just one of several laws that govern hacking. The EFF provides helpful advice on vulnerability reporting [2] and other legal matters [3]. Contact the instructor if you have any concerns.

Please also review CAEN’s policy document [4] on rights and responsibilities for guidelines concerning use of technology resources at U-M. As members of the university, you are required to adhere to these policies.

4.3 Collaboration and plagiarism

All projects in this course are to be done by your own group and in accordance with the College of Engineering Honor Code [5]. Violation will result in a zero on the project in question and initiation of the formal procedures of the Engineering Honor Council. We will use automated programs and manual checks to correlate projects with each other and with prior solutions. (Obviously, this year there are no prior solutions.)

You may discuss material with others, but your writing must be your own. When in doubt, contact the instructors about whether a potential action would be considered plagiarism.

When discussing problems with others, excluding projects, do not show any of your written solutions to others, including code. Do not take notes about the solution other than to jot down publicly available references. Use only verbal communication.

Using someone else’s code or API is forbidden. You may use publicly available code (libraries and open source material) if code was published before we assigned the work. If you find code that trivially solves some problem we have assigned, we expect you’ll tell us where so that we learn the homework assignment is moot.

If you do discuss material with anyone besides the instructors, acknowledge your collaborators in each write-up. If you obtain a key insight with help (e.g., through library work or a friend), acknowledge your source, briefly state the insight, and write up the solution on your own. In most of your write-ups, we expect to see citations.

We cannot emphasize enough that you MUST cite all your sources properly. You must remove any possibility of someone else’s work from being misconstrued as yours. We consider the facilitation of plagiarism (giving your work to someone else) as plagiarism as well. If we detect two homework assignments that share text, both persons will be disciplined.

Investigating plagiarism is a pleasant experience for neither instructor nor student. Please help us by avoiding any questionable behavior. Please come see us anytime if you are unable to keep up with the work for any reason and we will work something out. We want to see you succeed and will do everything we can to help you out!

[1] http://www.law.cornell.edu/uscode/18/1030.html
[2] https://www.eff.org/issues/coders/vulnerability-reporting-faq
[3] https://www.eff.org/pages/grey-hat-guide
[4] http://www.engin.umich.edu/caen/policies/
[5] http://www.engin.umich.edu/students/honorcode/code